[2.6.0-test6-mm4] racoon IKE daemon behaviour on rekeying

Hi:

I am currently doing some IPsec tunnel tests between two boxes:

PC one: Linux kernel 2.6.0-test6-mm4, setkey version 0.2.2 (Debian
package version 0.2.2-5 recompiled against 2.6.0-test6-mm4 headers).
/etc/racoon/racoon.conf inlined at the end of the message.

PC two: Linux kernel 2.4.22 plus superfreeswan 1.99.8 kernel patches and
FreeS/WAN binaries from Debian freeswan package version 1.96-1.4.
/etc/ipsec.conf inlined at the end of the message.
NOTE: PC two is a VMware virtual machine, not a real box.

+--------+eth0   192.168.1.0/24    eth0+-----------+ .1   172.16.1.0/24
| PC one |-----------------------------| VMware VM |------------- - - -
+--------+ .12                    .150 +-----------+ dummy0
Linux 2.6.0-test6-mm4                  Linux 2.4.22+superFreeS/WAN

(Yes, I know this setup is somewhat hacky, need to get some real hardware ;)


And now for the "problem": the tunnels get established correctly,
initiating a connection from PC one to the 172.16.1.0/24 network
configured on the dummy0 interface in the remote "box".

If IPsec key lifetimes are configured in such a way that the timers expire
first on the FreeS/WAN endpoint, it tries to renegotiate the Phase 2 SA,
and on "PC one" the logs show:
Oct 13 20:11:55 dardhal racoon: INFO: isakmp.c:1048:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.12[0]<=>192.168.1.150[0]
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp_quick.c:1811:get_sainfo_r(): failed to get sainfo.
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp_quick.c:1045:quick_r1recv(): failed to get sainfo.
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp.c:1062:isakmp_ph2begin_r(): failed to pre-process packet.

Note "passive off;" in section "remote 192.168.1.150" of "racoon.conf". If,
on the other hand, the SA timers expire first on "PC one", and it
initiates the Phase 2 negotiation, everything works as expected.

When you change "passive off;" to "passive on;" in racoon.conf and
repeat the test (with timers expiring first on the remote box) you
cannot initiate the connection from this box.

So the question is: is this expected behaviour, and does the user have to
ensure that the timers will expire first on the initiator? Or maybe I am
doing something wrong?

Regards.

----- BEGIN PC one racoon.conf -----
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
# IKE Phase 1 (aggressive vs. main modes)
remote 192.168.1.150
{
	exchange_mode main;
	situation identity_only;

	my_identifier address 192.168.1.12;
	peers_identifier address 192.168.1.150;

	lifetime time 2 hours;	# sec,min,hour
	initial_contact off;
	passive off;
	proposal_check claim;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
}
# IKE Phase 2 (quick mode)
sainfo address 192.168.1.12/32 any address 172.16.1.0/24 any {
	pfs_group modp1024;
	lifetime time 2 min;
	encryption_algorithm rijndael256,rijndael128,twofish,blowfish,3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}
# IKE Phase 2 (quick mode), same selectors in the reverse order
sainfo address 172.16.1.0/24 any address 192.168.1.12/32 any {
	pfs_group modp1024;
	lifetime time 3 min;
	encryption_algorithm rijndael256,rijndael128,twofish,blowfish,3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}
----- END PC one racoon.conf -----

----- BEGIN PC one security policy -----
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.1.12/32[any] 172.16.1.0/24[any] any -P out ipsec
    esp/tunnel/192.168.1.12-192.168.1.150/require;

spdadd 172.16.1.0/24[any] 192.168.1.12/32[any] any -P in ipsec
    esp/tunnel/192.168.1.150-192.168.1.12/require;
----- END PC one security policy  -----

----- BEGIN PC two ipsec.conf  -----
# basic configuration
config setup
	interfaces="ipsec0=eth0"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dns
	rightrsasigkey=%dns

conn pc-to-net
	type=tunnel
	auth=esp
	authby=secret
	rekeyfuzz=0%
	rekeymargin=1m
	ikelifetime=2h
	keylife=20m
	# Left, the main PC
	left=192.168.1.12
	leftid=192.168.1.12
	leftsubnet=192.168.1.12/32
	leftnexthop=192.168.1.150
	# Right, the VMware VM running Debian Woody
	right=192.168.1.150
	rightid=192.168.1.150
	rightsubnet=172.16.1.0/24
	rightnexthop=192.168.1.12
	auto=add
----- END PC two ipsec.conf  -----

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.0-test6-mm4-lirc)
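The failure described in the post is only visible as a burst of ERROR lines following a responder-side "respond new phase 2 negotiation" line. The script below is an added example, not code from the post or from racoon: it parses racoon log lines in the syslog format shown above, groups each Phase 2 negotiation with the errors that follow it, and flags responder-side negotiations that died with "failed to get sainfo". It also computes the rekey window a FreeS/WAN conn like `pc-to-net` will use from its `keylife`, `rekeymargin` and `rekeyfuzz` settings (FreeS/WAN starts rekeying `rekeymargin` before `keylife` expires, with the margin randomly increased by up to `rekeyfuzz` percent). The sample log is constructed: the first four lines are the ones quoted in the post, the last two are assumed successful initiator-side lines written in racoon's message style, with made-up source line numbers and SPI. Note that the window is computed from the configured values; which lifetime the two peers actually negotiate is not checked here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample log: lines 1-4 are from the post, lines 5-6 are assumed
# (racoon-style messages for a successful initiator-side negotiation).
SAMPLE_LOG = """\
Oct 13 20:11:55 dardhal racoon: INFO: isakmp.c:1048:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.12[0]<=>192.168.1.150[0]
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp_quick.c:1811:get_sainfo_r(): failed to get sainfo.
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp_quick.c:1045:quick_r1recv(): failed to get sainfo.
Oct 13 20:11:55 dardhal racoon: ERROR: isakmp.c:1062:isakmp_ph2begin_r(): failed to pre-process packet.
Oct 13 20:13:40 dardhal racoon: INFO: isakmp.c:1000:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.12[0]<=>192.168.1.150[0]
Oct 13 20:13:41 dardhal racoon: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.1.150->192.168.1.12 spi=12345(0x3039)
"""

# syslog prefix, then racoon's "file.c:line:function(): message" layout
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
BEGIN_RE = re.compile(
    TS + r" (?P<host>\S+) racoon: INFO: (?P<src>[\w.]+:\d+):isakmp_ph2begin_(?P<role>[ir])\(\): "
    r"(?:respond|initiate) new phase 2 negotiation: (?P<local>\S+)<=>(?P<peer>\S+)$"
)
ERROR_RE = re.compile(r"racoon: ERROR: (?P<src>[\w.]+:\d+):(?P<func>\w+)\(\): (?P<msg>.*)$")
ESTAB_RE = re.compile(r"racoon: INFO: [\w.]+:\d+:pk_recvupdate\(\): IPsec-SA established: (?P<sa>.*)$")


@dataclass
class Phase2:
    ts: str
    role: str          # "initiator" or "responder"
    local: str
    peer: str
    errors: List[str] = field(default_factory=list)
    established: bool = False


def parse_racoon_log(text: str) -> List[Phase2]:
    """Group each Phase 2 start line with the ERROR / established lines that follow it."""
    negotiations: List[Phase2] = []
    current = None
    for line in text.splitlines():
        m = BEGIN_RE.match(line)
        if m:
            role = "responder" if m["role"] == "r" else "initiator"
            current = Phase2(m["ts"], role, m["local"], m["peer"])
            negotiations.append(current)
            continue
        if current is None:
            continue
        m = ERROR_RE.search(line)
        if m:
            current.errors.append(f"{m['func']}: {m['msg']}")
            continue
        if ESTAB_RE.search(line):
            current.established = True
    return negotiations


def failed_responder_rekeys(negotiations: List[Phase2]) -> List[Phase2]:
    """Responder-side quick mode exchanges that racoon rejected for lack of a matching sainfo."""
    return [
        n for n in negotiations
        if n.role == "responder" and any("failed to get sainfo" in e for e in n.errors)
    ]


def freeswan_rekey_window(keylife_s: int, rekeymargin_s: int, rekeyfuzz_pct: int) -> Tuple[float, float]:
    """Seconds after SA setup at which Pluto starts renegotiating, as (earliest, latest).

    Pluto begins rekeymargin before keylife expires; the margin is randomly
    increased by up to rekeyfuzz percent, so rekeyfuzz=0% gives a fixed instant.
    """
    earliest = keylife_s - rekeymargin_s * (1 + rekeyfuzz_pct / 100)
    latest = keylife_s - rekeymargin_s
    return earliest, latest


if __name__ == "__main__":
    negs = parse_racoon_log(SAMPLE_LOG)
    for n in negs:
        status = "established" if n.established else f"{len(n.errors)} error(s)"
        print(f"{n.ts} {n.role:9s} {n.local} <=> {n.peer}: {status}")
    for n in failed_responder_rekeys(negs):
        print(f"peer {n.peer} initiated a Phase 2 rekey at {n.ts} that we could not answer")
    # Values from the post's ipsec.conf: keylife=20m, rekeymargin=1m, rekeyfuzz=0%
    print("FreeS/WAN rekey window (s):", freeswan_rekey_window(20 * 60, 60, 0))
```

Run it over a real `/var/log/daemon.log` tail to see whether the peer, not the local racoon, is the one starting the quick mode exchanges that fail; that is the distinction the post turns on.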
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
